Protecting Medical Office Records from Cyber Criminals

What would you do if your patient data were stolen, or if a fire or flood destroyed your office? Suppose a cyber criminal broke into your network and every patient record you hold was compromised. What would be your first step? With most medical records now stored digitally, it is not a matter of if you will experience an incident involving your electronic patient information; it is a matter of when. We read about data breaches every day. If Target, JP Morgan Chase, Neiman Marcus, and Sony can be breached, so can your practice.


Do you know why a medical practice is a prime target for cybercrime? It is because patient files are worth between $500 and $1,000 per record to a hacker. They contain Social Security numbers, birthdates, and everything else necessary for identity theft. How many patient files do you store? Multiply that number by $1,000, and that is what your data could be worth on the black market.

Technology is evolving rapidly in every industry, but in the medical industry those advances are also producing more and more theft of protected health information (PHI) and more data breaches, because patient information is not being adequately protected. Computers, laptops, e-mail, mobile devices, and thumb drives all store and transmit PHI electronically. Without the proper controls in place, your patient information can easily fall into the wrong hands and expose your practice to liability. HIPAA imposes a number of requirements, such as having Business Associate Agreements in place, properly training employees, and creating policies and procedures, so that your practice is prepared for a data-related incident.


Because of the many "incidents" being reported, the HIPAA Security Rule clearly defines the steps every practice must take when one occurs. 45 CFR § 164.304 defines a security incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Note that an attempt counts: a blocked intrusion or a failed login campaign is a security incident under this definition even if no data was lost. The Security Incident Procedures standard at § 164.308(a)(6)(i) requires a covered entity to:

  1. Implement policies and procedures to address security incidents.
  2. Identify and respond to suspected or known security incidents, and mitigate, to the extent practicable, the harmful effects of security incidents that are known to the covered entity.
  3. Document the security incidents and their outcomes.

Most practices are caught unprepared in the event of a data loss. HIPAA requires a disaster recovery plan and incident response procedures that clearly document the steps the practice will take in an emergency. Failing to respond properly to a data-related incident is itself a HIPAA violation, and it leaves your practice exposed. For example, if a patient accuses you of a breach, if there is a theft, or if Visa or MasterCard notifies your practice that credit card information was stolen from your office (a payment card matter governed by PCI DSS rather than HIPAA, but one your plan must still cover), you must know how to respond properly. This is where most practices run into trouble, and many are completely unprepared for situations such as these. Proactive planning and a clearly documented Incident Response Plan (IRP) satisfy the HIPAA requirement and help maintain continuity when an incident occurs. Putting an IRP in place may seem overwhelming at first, but a few simple steps will better prepare your practice:

  1. Designate a Security Officer who owns and documents the IRP.
  2. Appoint an Incident Response Team.
  3. Clearly define each member's role and responsibilities, and how the team will react to a reported incident.
  4. Purchase data breach insurance so your practice has the resources to act on a breach and maintain operations.
  5. Complete the mandatory HIPAA risk assessment (the risk analysis required by § 164.308(a)(1)(ii)(A)).

Contact our office today to discover how we can help protect you, your practice, and your patients from cyber criminals.